Abstract

We consider incomplete trace-based network proof systems for safety properties, identifying extensions that are necessary and sufficient to achieve relative completeness. We then consider the expressiveness required of any trace logic that encodes these extensions.
In trace-based network proof systems, one specifies and reasons about traces (histories) of the values transmitted along the communication channels of the networks under consideration. Such proof systems generally allow specifications for networks to be deduced from specifications for the networks' components. Network proof systems based on first-order predicates over channel traces are given in [CH81,Hoa85,MC81], but unfortunately these logics are incomplete [BA81,Ngu85]. Relative completeness can be achieved by permitting reasoning over the full interleaving of communication events in addition to the individual channel traces [Bro84,HH83,ZdRvEB85] or by using temporal logic predicates so that the interleaving is implicitly present in the semantics of the specifications [NDGO86]. Both approaches introduce more information than necessary, the modifications tend to be extensive and cumbersome, and the simplicity of the underlying trace logic is lost.

In this paper, a simple but logically incomplete trace-based proof system for safety properties is defined. This logic is representative of other incomplete trace-based network proof systems appearing in the literature. Two example networks are presented to show incompleteness of our logic. Surprisingly, both examples consist of only one process, indicating that while compositionality is an important feature of trace-based systems, network

* This paper is based on portions of Widom's Cornell University Ph.D. thesis. The work was supported in part by the National Science Foundation under grants DCR-8J20274 and CCR-8701103. Schneider is also supported by the Office of Naval Research under contract N00014-86-K-0092 and by Digital Equipment Corporation. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not reflect the views of these agencies.
composition is not the cause of incompleteness. Our examples suggest two extensions that are necessary for relative completeness; we show that these two extensions are sufficient as well. The first source of incompleteness we identify is the inability to state and reason about constraints on the ordering of network events. The second source is the inability to assert that the sequence of values transmitted along a communication channel is always a prefix of that channel's sequence at some later point. We argue that these two properties — the temporal ordering and prefix properties — must be part of any relatively complete trace-based proof system.

The temporal ordering and prefix properties cannot be expressed in a logic based on first-order predicates over channel traces. However, they can be expressed using only a subset of temporal logic, indicating that the full power of temporal logic (or of explicit reasoning over the interleaving of communication events) is not needed. We explore the exact expressiveness required of a trace logic if it is to be used for a relatively complete network proof system. We introduce a hierarchy of subsets of temporal logic and show that a subset consisting of first-order predicates over traces with a version of the linear-time temporal Always operator has necessary and sufficient expressive power for relative completeness.

Section 2 defines the class of synchronous process networks used in the remainder of the paper. A formal model of computation is introduced to facilitate subsequent reasoning about network behavior and proof systems. In Section 3, we define Simple Network Logic (SNL), a trace-based network proof system that captures the essence of most such systems. In Section 4, we show that SNL is incomplete, define the temporal ordering and prefix axioms, and prove that they are necessary and sufficient for relative completeness. In Section 5, we consider the expressiveness required to achieve relative completeness in any trace-based proof system. We use a logic that permits reasoning over the interleaving of communication events to construct a formula that exactly characterizes the required expressiveness. A hierarchy of temporal logic subsets is then defined, along with a mapping from temporal logic formulas to formulas in the interleaving logic. The mapping is used to identify a subset of temporal logic with exactly the right expressive power for relative completeness. In Section 6, we describe how to generalize our model and proof system for hierarchically structured networks — networks in which component processes may be implemented as sub-networks. We show that our expressiveness and completeness results are not affected by this generalization. Finally, in Section 7, we summarize and explain how our results relate to previous research.
2 Process Networks


Consider networks of processes that communicate and synchronize solely by message passing. Processes and communication channels are uniquely named. Each channel is either internal or external with respect to a network. An internal channel connects two processes of the network; an external channel is connected to only one, permitting communication between the network and its environment. Channels are unidirectional, and communication along them is synchronous,¹ so both processes incident to an internal channel must be prepared to communicate before a value is actually transmitted. Without loss of generality, we assume:

•  Input  or  output  on  an  external  channel  occurs  whenever  the  single  incident  process  is 
ready. 

•  Each  message  transmission  occurs  instantaneously. 

• Two message transmissions cannot occur simultaneously. Thus, there is a total order on the communication events of a given computation.

•  There  is  a  fixed  domain  of  values  that  can  be  transmitted  on  communication  channels. 
Processes  send  and  receive  values  in  this  domain  only. 

A network made up of processes P₁, P₂, ..., Pₙ is denoted by P₁ || P₂ || ... || Pₙ, indicating parallel execution of P₁, P₂, ..., Pₙ. Fig. 1 illustrates a network of three processes and six communication channels. Subsequently, we use the term network to refer to either a single process or a network composed of several processes.²

2.1  Model  of  Computation 

To reason about proof systems for networks, we introduce a formal model of network behavior. A single point, or state, during the computation of a network is represented by the histories of the network's communication channels up to that point. (The model does not include internal process state, since internal computations of processes are unimportant when reasoning about network behavior, except as they affect values sent and received.) A

¹ Extension to asynchronous message-passing is straightforward and does not affect our results [Wid87].

² Although we assume here that networks are composed directly of primitive processes, our work easily generalizes to a hierarchical structure in which processes may be implemented as sub-networks [Wid87]. This generalization is discussed in Section 6.
Figure 1: A network of processes


single computation is represented by an infinite sequence of states,³ subject to constraints on the initial state and between each pair of adjacent states. The behavior of a network is represented by the set of all sequences representing its possible computations.

We now formalize the model. A trace of a communication channel c is a finite sequence ⟨c.1, c.2, ..., c.k⟩ of values that have been transmitted along channel c up to some point in time. An empty trace is denoted by ⟨⟩. Let N be a network with incident channels c₁, c₂, ..., cₘ. A state of N is a tuple containing a trace for each channel c₁, c₂, ..., cₘ. A computation of N is an infinite sequence of states of N such that all channel traces are empty in the initial state and each subsequent state extends at most one trace of the preceding state by at most one element (i.e. at most one message transmission occurs between each pair of states). Thus, an infinite sequence of states can represent a computation iff the following four computation conditions are satisfied:

CC1. All traces are empty in the initial state.

CC2.  Each  trace  in  each  state  of  the  sequence  is  a  prefix  of  the  corresponding  trace  in  the 
subsequent  state. 

CC3.  The  length  of  each  trace  in  each  state  of  the  sequence  (except  the  first)  is  at  most  one 
more  than  the  length  of  the  corresponding  trace  in  the  preceding  state. 

CC4.  At  most  one  trace  changes  between  every  state  and  its  subsequent  state. 

³ We choose only infinite sequences since, for our purposes, any finite sequence can be converted into an equivalent infinite sequence by indefinitely repeating the final state [MP81,Wid87].
The computation set for N is the set of all computations representing potential execution sequences of N.⁴

We show that our computational model is compositional — the set representing the behavior of a network can be constructed from the sets representing the behavior of the network's component processes. Let N be a network composed of P₁, ..., Pₙ. Let CS(P₁), ..., CS(Pₙ) denote the computation sets for P₁, ..., Pₙ, respectively. CS(N), the computation set for N, can be computed directly from CS(P₁), ..., CS(Pₙ) as follows. Suppose κ is a computation of N. Define Proj(κ, Pᵢ) to be the projection of κ onto those channels of N incident to Pᵢ; that is, Proj(κ, Pᵢ) removes from the states of κ all traces of channels in N not incident to Pᵢ. CS(N) is the set of all computations κ built from possible states of N such that

• Proj(κ, Pᵢ) ∈ CS(Pᵢ), i = 1..n, and

• κ satisfies conditions CC1-CC4 above.

Informally, then, the computations of N are all possible well-formed combinations of the computations of N's component processes in which communications on shared channels agree.

3  Simple  Network  Logic 

We  now  introduce  a  formalism,  Simple  Network  Logic  (SNL),  for  specifying  and  verifying 
safety  properties  [Lam77]  of  networks  of  processes.  SNL  concisely  captures  the  essence  of 
most  trace-based  proof  systems. 

A specification is a first-order predicate over channel traces; it is intended to be satisfied throughout every execution of the network it specifies [CH81,Hoa85,MC81].⁵ A channel name c appearing as a free variable in a specification represents the trace of c. We use |c| to denote the length of c and c1 ⊑ c2 to denote that trace c1 is a prefix of trace c2.

A specification for a network N is a predicate φ over the traces of N's communication channels. (The only free variables permitted in specifications for N are those corresponding

⁴ Our definition allows arbitrarily many (adjacent) repetitions of any state in a computation sequence, producing a very large computation set for a network. In particular, if a given computation is in a computation set, then so is that computation with any state repeated once, repeated twice, repeated three times, etc. Permitting this repetition facilitates subsequent definitions and proofs without affecting the usefulness of the model.

⁵ Actually, in [MC81], specifications consist of predicate pairs, but for our purposes it is adequate to consider only single predicates that remain invariant throughout a computation [Wid87].
to channels of N.) We say that N satisfies φ, written N sat φ, if, at every point during any computation of N, the traces of values transmitted on N's channels satisfy φ. For example, consider a process (or network) N that repeatedly reads an integer from channel c1 and sends its successor on channel c2. This behavior can be specified in SNL as

N sat (|c1| − 1 ≤ |c2| ≤ |c1|) ∧ (∀i: 1 ≤ i ≤ |c2|: c2.i = c1.i + 1).

Some network proof systems provide facilities for constructing specifications for sequential primitive processes [CH81,Hoa85,ZdRvEB85]. In others, it is assumed that existing logics for sequential programs can be used for this or that specifications for primitive processes are given [Jon85,MC81,NDGO86]. Without loss of generality, we adopt the latter approach. Thus, we are interested only in deducing specifications for a network from specifications for its component processes. Consequently, we assume that the axioms of SNL contain all formulas P sat φ, where P is a primitive process and φ is a valid specification for P, i.e. φ is satisfied by every execution of P.

Specifications for networks can be derived from specifications for their component processes using the following inference rule of SNL:

Definition 3.1 (Network Composition Rule)

P₁ sat φ₁, P₂ sat φ₂, ..., Pₙ sat φₙ
P₁ || P₂ || ... || Pₙ sat φ₁ ∧ φ₂ ∧ ... ∧ φₙ

Conjoining process specifications using this rule results in "linking" any shared channels in network N because in φ₁ ∧ φ₂ ∧ ... ∧ φₙ all c's (say) denote the same channel trace.

We  also  need  a  rule  for  deducing  valid  specifications  for  a  network  from  other  valid 
specifications,  since  several  valid  specifications  may  exist  for  a  given  network.  For  this,  we 
use  the  SNL  Consequence  Rule: 

Definition 3.2 (Consequence Rule)

N sat φ₁, φ₁ ⇒ φ₂
N sat φ₂

(Note that this rule relies on the validity of φ₁ ⇒ φ₂, which is a formula of the underlying trace logic. This aspect of the proof system is discussed below.)

These two rules, or variants thereof, form the basis of most trace-based systems we know of, including [CH81,Hoa85,MC81,NDGO86,Zwi88].




3.1  Soundness  and  Completeness 

We can use the computational model introduced in Section 2.1 to prove that SNL is sound [Apt81]: if N sat φ is a theorem of SNL, then φ is indeed valid for network N. To do so, we must first define validity of specifications with respect to computations in the formal model. Recall that for a network N, CS(N) denotes the set of all computations corresponding to N's possible behaviors. A specification φ is valid for N iff φ is true in every state of every computation in N's computation set.

Definition 3.3 (Validity of Specifications) Specification φ is valid for network N iff κ.i ⊨ φ for all κ ∈ CS(N) and i ≥ 0, where

• κ = (κ.0, κ.1, κ.2, ...);⁶

• κ.i ⊨ φ holds iff the channel traces in κ.i satisfy φ. ∎

Using  this  definition  we  establish  the  soundness  of  SNL. 

Theorem 3.4 (Soundness of SNL) Let N be a network and φ a specification such that N sat φ is a theorem of SNL. Then φ is valid for N.

Proof: See appendix. ∎

We would also like SNL to be complete: if any specification φ is valid for a network N, then N sat φ is provable in SNL. However, an additional assumption must be made. A specification for a network is derived from specifications for its component processes using the Network Composition Rule. If the given process specifications are valid but too weak, then a valid network specification might not be provable. What we really want to know is whether N sat φ can be proven when the specifications for N's component processes are as "strong" as possible [Jon85,NDGO86].

Definition 3.5 (Precise Specifications) A specification φ is precise for a network N iff

1. φ is valid for N, and

2. if κ is any computation⁷ containing traces for the channels in N and κ.j ⊨ φ for all j ≥ 0, then κ ∈ CS(N). ∎

⁶ Note that indexing of computations begins with 0 while indexing of channel traces begins with 1. This notation facilitates subsequent definitions and proofs.

⁷ Recall from Section 2.1 that a computation is an infinite sequence of states such that the initial state contains only empty channel traces and each subsequent state extends at most one trace of the preceding state by at most one element.
Figure 2: Simple network

Thus, a specification is precise if it is valid and if every computation satisfying the specification is a possible computation of the network being specified. For completeness, we are interested in proving N sat φ whenever φ is valid and the specifications for the processes in N are precise.

The SNL Consequence Rule relies on the validity of formulas in the specification language of SNL. SNL specifications can involve elements of the data domain from which messages are drawn, sequences of such elements (the channel traces), and lengths of sequences. Since arithmetic itself is incomplete [Sch67], a valid assertion might not be provable in any logic. Therefore, when designing a program proof system, one aims for relative completeness (as in [Coo78]): assuming that one can prove any valid formula of the underlying logic (which in this case is a trace logic that includes predicate logic, arithmetic, and the data domain of the network being considered), is the proof system complete?⁸ SNL is not relatively complete, as we now show.

4  Incompleteness  of  Simple  Network  Logic 

We  give  two  examples  to  show  the  incompleteness  of  SNL.  Each  example  illustrates  an 
inherent  property  of  network  behavior  that  cannot  be  expressed  in  SNL  but  is  necessary  for 
relative  completeness  in  a  trace-based  proof  system. 

4.1  Temporal  Ordering  Property 

Consider the single-process network of Fig. 2. As an informal description of process P we are given four facts: (1) P reads at most one value from channel c; (2) P reads at most one value from channel d; (3) P reads a value from c before reading from d; (4) P reads a value from d before reading from c. By direct translation, a formal specification is

P sat φ₁: |c| ≤ 1 ∧ |d| ≤ 1 ∧ |d| ≤ |c| ∧ |c| ≤ |d|. (1)

⁸ Most proof systems make assumptions about both the provability of statements in the underlying logic and the expressiveness of the specification language involved. This is sometimes referred to as Cook completeness [Apt81,Coo78]. We, too, have made an expressiveness assumption in our supposition that precise specifications for primitive processes can be written in SNL. The reader might convince himself that our language is powerful enough to express precise specifications for a large class of processes.
Let the data domain for this network be {a}. The following specification is valid for P and is equivalent to (1):

P sat φ₂: (c = ⟨⟩ ∧ d = ⟨⟩) ∨ (c = ⟨a⟩ ∧ d = ⟨a⟩) (2)

P is always in one of two states: either no values have been read from c or d, or a value a has been read from each. However, since two values cannot be transmitted simultaneously (condition CC4 from Section 2.1), P can reach a state in which (c = ⟨a⟩ ∧ d = ⟨a⟩) only by being in a state in which either (c = ⟨a⟩ ∧ d = ⟨⟩) or (c = ⟨⟩ ∧ d = ⟨a⟩), neither of which is permitted by specification (2) (or specification (1)). Thus, P will never read a value from either c or d, so a third valid and equivalent specification for P is

P sat φ₃: c = ⟨⟩ ∧ d = ⟨⟩. (3)

All three specifications are valid and, in fact, precise. Any computation satisfying φ₁, φ₂, or φ₃ is a computation of P — no values are ever read on c or d. However, consider an attempt at proving (3) given precise specification φ₂ (say) of (2). Since there is only a single process, the Network Composition Rule is irrelevant — the only SNL inference rule applicable is the Consequence Rule. But φ₂ ⇒ φ₃ does not hold. Hence (3) is unprovable from (2), even though it is valid.

We need a way to formalize the reasoning about event ordering used to obtain specification (3). It must assert the following property.

Definition 4.1 (Temporal Ordering Property) Suppose c1 and c2 are channels of a network N, c1.x and c2.y are transmitted as a result of distinct communication events, and in any computation of N

1. c1.x is transmitted before c2.y, and

2. c2.y is transmitted before c1.x.

Then (|c1| < x ∧ |c2| < y) holds throughout any computation of N — neither message is ever transmitted. ∎

Formalizing this property would allow φ₃ to be deduced from φ₂, making (3) provable from (2). Unfortunately, the Temporal Ordering Property cannot be expressed in the trace logic underlying SNL. This is discussed further in Section 4.4.1 and is proven in Section 5.


4.2  Prefix  Property 

Figure 3: Very simple network

Consider the network of Fig. 3. Suppose {a, b} is the data domain and let a precise specification for process P be

P sat φ₄: c = ⟨⟩ ∨ c = ⟨a⟩ ∨ c = ⟨b, a⟩. (4)

Since P sends one value at a time on channel c (condition CC3 from Section 2.1), disjunct c = ⟨b, a⟩ can never hold. (It would hold only if c = ⟨b⟩ held first, and this is prohibited by φ₄.) Therefore (4) can be simplified to

P sat φ₅: c ⊑ ⟨a⟩. (5)

However, φ₄ does not imply φ₅, so (5) cannot be proven from precise specification (4). Here we need the following property.

Definition 4.2 (Prefix Property) For any channel c and integers 0 ≤ x ≤ y, the trace of c after x values have been transmitted is always a prefix of the trace of c after y values have been transmitted. ∎

By using this property in conjunction with φ₄, we could eliminate disjunct c = ⟨b, a⟩ and obtain (5). Like the Temporal Ordering Property, however, the Prefix Property cannot be expressed in the trace logic underlying SNL.
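To make the two examples concrete, here is an added Python illustration (not part of the paper) that encodes φ₁ to φ₅ as predicates over a single state and enumerates bounded prefixes of well-formed computations. It shows that φ₂ and φ₃ (and φ₄ and φ₅) admit exactly the same computations even though the state-level implications φ₂ ⇒ φ₃ and φ₄ ⇒ φ₅ fail; the channel names and data domains come from Sections 4.1 and 4.2, the depth bound is an assumption.

```python
from itertools import product

# Added illustration of Sections 4.1 and 4.2. A state is a dict mapping a channel
# name to its trace (a tuple); a specification is a predicate over one state, and
# "N sat phi" means phi holds in every state of every computation (Definition 3.3).

def is_prefix(t1, t2):
    """t1 is a prefix of t2: the relation written c1 ⊑ c2 in Section 3."""
    return t2[:len(t1)] == t1

# Section 4.1 (Fig. 2): process P reads from channels c and d; data domain {a}.
def phi1(s):   # specification (1): direct translation of the four facts
    return (len(s["c"]) <= 1 and len(s["d"]) <= 1
            and len(s["d"]) <= len(s["c"]) and len(s["c"]) <= len(s["d"]))

def phi2(s):   # specification (2)
    return (s["c"] == () and s["d"] == ()) or (s["c"] == ("a",) and s["d"] == ("a",))

def phi3(s):   # specification (3)
    return s["c"] == () and s["d"] == ()

# Section 4.2 (Fig. 3): process P sends on channel c; data domain {a, b}.
def phi4(s):   # specification (4)
    return s["c"] in ((), ("a",), ("b", "a"))

def phi5(s):   # specification (5): c ⊑ <a>
    return is_prefix(s["c"], ("a",))

def computations(channels, domain, steps):
    """All prefixes of length steps+1 of computations over the given channels.
    Start with every trace empty (CC1); at each step either repeat the state or
    extend exactly one trace by exactly one value (CC2-CC4), so every sequence
    generated is well-formed by construction."""
    seqs = [[{c: () for c in channels}]]
    for _ in range(steps):
        nxt = []
        for seq in seqs:
            last = seq[-1]
            nxt.append(seq + [last])                                # stutter
            for c, v in product(channels, domain):                  # one event
                nxt.append(seq + [{**last, c: last[c] + (v,)}])
        seqs = nxt
    return seqs

def models_of(phi, channels, domain, steps):
    """The bounded computations in which phi holds in every state (kappa |= []phi),
    as a set of hashable keys so two specifications can be compared."""
    def key(seq):
        return tuple(tuple(sorted(s.items())) for s in seq)
    return {key(seq) for seq in computations(channels, domain, steps)
            if all(phi(s) for s in seq)}

def implies_statewise(phi, psi, channels, domain, max_len):
    """phi => psi as a formula of the trace logic (what the Consequence Rule
    needs): checked over every state whose traces have length at most max_len."""
    traces = [t for n in range(max_len + 1) for t in product(domain, repeat=n)]
    for combo in product(traces, repeat=len(channels)):
        state = dict(zip(channels, combo))
        if phi(state) and not psi(state):
            return False
    return True

if __name__ == "__main__":
    cd, a = ["c", "d"], ["a"]
    # phi1, phi2 and phi3 admit the same computations: the one that never moves.
    print(models_of(phi1, cd, a, 3) == models_of(phi2, cd, a, 3) == models_of(phi3, cd, a, 3))
    # ... yet phi2 => phi3 fails in the (unreachable) state c = <a>, d = <a>.
    print(implies_statewise(phi2, phi3, cd, a, 1))
    # Likewise phi4 and phi5 agree on computations, but phi4 => phi5 fails at c = <b, a>.
    print(models_of(phi4, ["c"], ["a", "b"], 3) == models_of(phi5, ["c"], ["a", "b"], 3))
    print(implies_statewise(phi4, phi5, ["c"], ["a", "b"], 2))
```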

4.3  Incorporating  the  Properties  in  SNL 

Consider any SNL proof that establishes N sat φ for a network N = P₁ || ... || Pₙ. As axioms, we are given P₁ sat φ₁, ..., Pₙ sat φₙ, where φ₁, ..., φₙ are precise. The first rule to be applied in any such proof is the Network Composition Rule, so we immediately infer N sat φ₁ ∧ ... ∧ φₙ. All remaining steps in the proof have to be applications of the Consequence Rule. By transitivity of implication, any string of Consequence Rule applications can be collapsed into one, so N sat φ is provable iff (φ₁ ∧ ... ∧ φₙ) ⇒ φ (a formula of the underlying trace logic).

By the following theorem, we know that specification φ₁ ∧ ... ∧ φₙ is precise for N: the conjunction of precise process specifications results in a network specification that is also precise. (A similar theorem for a different logic is proven in [NDGO86].)

Theorem 4.3 (Preciseness-Preservation) Let φᵢ be a precise specification for Pᵢ, 1 ≤ i ≤ n, and let N = P₁ || ... || Pₙ. Then φ₁ ∧ ... ∧ φₙ is a precise specification for N.

Proof: See appendix. ∎

Thus, our proof system would be relatively complete if φ₁ ⇒ φ₂ whenever φ₁ is a precise specification for a network N and φ₂ is a valid specification for N. However, the examples given in Sections 4.1 and 4.2 illustrate that this implication does not always hold.

To obtain a relatively complete system, the implication in the hypothesis of the Consequence Rule must be modified so that all valid specifications can be deduced from precise specifications. We do this by strengthening the antecedent of the implication, adding a set of axioms such that if A (say) is the conjunction of axioms in the set, then (φ₁ ∧ A) ⇒ φ₂ whenever φ₁ and φ₂ are precise and valid, respectively, for a given network. The Temporal Ordering and Prefix Properties are the basis for such a set of axioms.

4.4  Temporal  Ordering  and  Prefix  Axioms 

We now prove that axiomatizations of the Temporal Ordering and Prefix Properties are necessary and sufficient for deducing φ₂ from φ₁ whenever φ₁ and φ₂ are precise and valid, respectively, for a given network. There is a fundamental difference, however, between any axiomatization of the Temporal Ordering (or Prefix) Property and specifications φ₁ and φ₂: event ordering is considered with respect to an entire computation, while φ₁ and φ₂ are considered with respect to the individual states of a computation. Since (φ₁ ∧ A) ⇒ φ₂ must be considered with respect to entire computations, we introduce an operator □, which converts specifications to being over computations; □φ is valid for a computation iff φ is true in every state of that computation.⁹ That is:

κ ⊨ □φ iff κ.i ⊨ φ for all i ≥ 0

(Note that by Definition 3.3 of validity of specifications, specification φ is then valid for a network N iff κ ⊨ □φ for every κ in the computation set of N.) Using □, we modify the Consequence Rule as follows.

Definition 4.4 (Modified Consequence Rule)

N sat φ₁, (□φ₁ ∧ A) ⇒ □φ₂
N sat φ₂

Now  we  consider  the  axioms  comprising  A. 

⁹ This is a weakened version of the "always", or "henceforth", operator (also □) of temporal logic [MP81,MP82], since φ cannot contain other temporal operators. Temporal operators of varying strengths are discussed briefly in Section 4.4.2 and at length in Section 5.
4.4.1 Temporal Ordering Axiom

The Temporal Ordering Axiom will formalize the Temporal Ordering Property. Suppose some communication c1.x must happen before some c2.y. Then □(|c1| < x ⇒ |c2| < y). This assertion captures ordering of communication events for any channels c1 and c2 and any indices x and y, even if x = y or c1 and c2 are the same channel. We are interested only in ordering of distinct events, so the case in which c1.x and c2.y are produced by the same event (i.e. x = y and c1 and c2 are the same channel) is not of interest. Now, if □(|c2| < y ⇒ |c1| < x) holds as well (with c1 and c2 distinct and x ≠ y), then neither c1.x nor c2.y can ever occur; equivalently: □(|c1| < x ∧ |c2| < y). Hence we state the Temporal Ordering Axiom as follows.

Definition 4.5 (ORDERING) If c1 and c2 are channels, x ≥ 1 and y ≥ 0 are integers, and either x ≠ y or c1 and c2 are distinct, then¹⁰

□(|c1| < x ⇔ |c2| < y) ⇒ □(|c1| < x ∧ |c2| < y). ∎

Allowing y = 0 permits the assertion that an empty channel trace temporally precedes all communication events on that channel.¹¹ We disallow x = y = 0, however, since this results in a pathological situation in which the antecedent of the implication is trivially true but the consequent is trivially false.

We now prove soundness of ORDERING with respect to our computational model.

Theorem 4.6 (Soundness of ORDERING) If κ is a computation (recall Section 2.1) then κ ⊨ ORDERING.

Proof: See appendix. ∎

4.4.2 Prefix Axiom

To formulate an axiom for the Prefix Property, we introduce a more powerful version of □ in which □ may be applied to formulas that themselves contain □'s. (This is the usual linear-time temporal logic interpretation for □ [MP82].) Now, □φ is valid for a computation iff φ is valid for every suffix of that computation:

κ ⊨ □φ iff (κ.i, κ.(i + 1), κ.(i + 2), ...) ⊨ φ for all i ≥ 0

¹⁰ Technically, this is an axiom scheme rather than an axiom, since substitution for meta-symbols c1, c2, x, and y is permitted.

¹¹ Suppose, for the sake of a contradiction, that c is non-empty in the initial state of some computation satisfying ORDERING. Then □(|c| < x ⇔ |c| < 0) for some x ≥ 1. However, □(|c| > 0), so the conclusion of ORDERING does not hold.


When φ contains no □ operators, (κ.i, κ.(i + 1), κ.(i + 2), ...) ⊨ φ is usually interpreted to be true iff φ is true in the first state, i.e. κ.i ⊨ φ. (For more detailed and rigorous discussions of the semantics of temporal operators, see e.g. [MP82,Wid87].)

The Prefix Axiom can be stated using □ as follows.

Definition 4.7 (PREFIX) If c is a channel, i ≥ 1 is an integer, and v is a value in the data domain of messages, then

□(c.i = v ⇒ □(c.i = v)). ∎

This axiom (scheme) asserts that once a value has been transmitted as $c.x$, $c.x$ remains unchanged. This is equivalent to the Prefix Property as stated in Section 4.2.

Theorem 4.8 (Soundness of PREFIX) If $\kappa$ is a computation then $\kappa \models \mathrm{PREFIX}$.

Proof: Let $\kappa$ be any computation. Then $\kappa$ satisfies condition C2 (Section 2.1) and PREFIX follows directly. ∎

4.4.3  Necessity  and  Sufficiency  of  ORDERING  and  PREFIX 

By letting $A = \mathrm{ORDERING} \wedge \mathrm{PREFIX}$, we can prove that if $\phi_1$ is a precise specification for a network $N$ and $\phi_2$ is a valid specification for $N$, then $(\Box\phi_1 \wedge A) \Rightarrow \Box\phi_2$ (from the hypothesis of Modified Consequence Rule 4.4) holds. Thus, ORDERING and PREFIX are sufficient for achieving relative completeness. In addition, we will argue that ORDERING and PREFIX are necessary: if either axiom is removed from $A$ then there is a network $N$ with precise and valid specifications $\phi_1$ and $\phi_2$ (respectively) such that $\Box\phi_1$ and $A$ do not imply $\Box\phi_2$.

We  begin  with  a  key  lemma. 

Lemma 4.9 Let $\kappa$ be any infinite sequence of states. $\kappa$ represents a computation iff $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.

Proof: See appendix. ∎

With this lemma in hand, we can easily prove that our two axioms are sufficient for relative completeness.

A different axiomatization of the Prefix Property can be given using the "next" operator of temporal logic in addition to $\Box$ [WGS87]. The definition given here, however, shows that the Prefix Property can be encoded using only $\Box$ operators. This is of importance in Section 5, where we consider the minimal expressiveness required of any trace logic used as the basis of a relatively complete proof system.
Theorem 4.10 (Sufficiency of the Axioms) If $\phi_1$ is a precise specification for network $N$ and $\phi_2$ is a valid specification for $N$, then $(\Box\phi_1 \wedge \mathrm{ORDERING} \wedge \mathrm{PREFIX}) \Rightarrow \Box\phi_2$.

Proof: We show that any infinite sequence of states $\kappa$ satisfying $\Box\phi_1$, ORDERING, and PREFIX also satisfies $\Box\phi_2$. Since $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$, by Lemma 4.9 we know that $\kappa$ is a computation. By Definition 3.5 of preciseness, since $\kappa \models \Box\phi_1$ and $\phi_1$ is precise, $\kappa \in CS(N)$. By validity of $\phi_2$, every $\kappa \in CS(N)$ satisfies $\Box\phi_2$. Hence $\kappa$ satisfies $\Box\phi_2$. ∎

Thus, with ORDERING and PREFIX, we ensure that any valid network specification is implied by a precise specification for the network; by Preciseness-Preservation Theorem 4.3, a precise network specification is obtainable from precise specifications for the network's component processes. That ORDERING and PREFIX are necessary (as well as sufficient) for the implication to always hold is shown in the following theorem.

Theorem 4.11 (Necessity of the Axioms) There exist networks $N1$, $N2$, and $N3$, with precise specifications $\phi_1^1$, $\phi_1^2$, and $\phi_1^3$ (respectively) and valid specifications $\phi_2^1$, $\phi_2^2$, and $\phi_2^3$ (respectively), such that

1. $\neg((\Box\phi_1^1 \wedge \mathrm{ORDERING}) \Rightarrow \Box\phi_2^1)$;

2. $\neg((\Box\phi_1^2 \wedge \mathrm{PREFIX}) \Rightarrow \Box\phi_2^2)$;

3. $\neg(\Box\phi_1^3 \Rightarrow \Box\phi_2^3)$.

Proof: 

1.  Let  Nl  be  the  example  network  of  Section  4.2. 

2.  Let  N2  be  the  example  network  of  Section  4.1. 

3. Follows directly from 1 and 2. ∎

5  Strengthening  the  Proof  System 

We  have  demonstrated  that  an  axiomatization  of  the  Temporal  Ordering  and  Prefix 
Properties  is  necessary  and  sufficient  for  relative  completeness  of  SNL.  However, 
ORDERING  A  PREFIX  is  not  the  only  way  to  formalize  the  properties  of  computation  that 
must  be  encoded  in  the  logic.  From  the  proof  of  Theorem  4.10,  we  see  that  the  function 
of  ORDERING  and  PREFIX  is  to  characterize  legal  network  computations,  distinguishing 
those  states  that  are  reachable  by  a  computation  from  those  that  are  not.  Thus,  we  are 
interested  in  the  expressiveness  required  of  trace  logics  that  encode  the  notion  of  a  legal 
network  computation. 
We formalize this requirement by analyzing the relationship between precise and valid specifications. Suppose $\phi_1$ is a precise specification for a network $N$. Then, by Definition 3.5, a state is reachable by $N$ iff it is reachable by a computation that always satisfies $\phi_1$. Now, by Definition 3.3 of validity, a specification $\phi_2$ is valid for $N$ iff it is satisfied by every state reachable by $N$. By transitivity, then, $\phi_2$ is valid iff it is satisfied by every state reachable by a computation that always satisfies $\phi_1$. That is:

Observation  5.1  A  specification  is  valid  for  a  network  iff  it  is  satisfied  by  every  state 
reachable  by  a  computation  that  always  satisfies  a  precise  specification  for  that  network. 

Formalizing this observation results in a relatively complete proof system. (One such formalization is implication $(\Box\phi_1 \wedge A) \Rightarrow \Box\phi_2$ of Modified Consequence Rule 4.4.) We establish bounds on the expressive power required of any trace logic that formalizes Observation 5.1.

Let $\phi$ range over trace logic formulas (i.e. over formulas in the specification language of SNL). Suppose $K(\phi)$ is a formula in some logic $L$ such that, for any $\phi$, a state satisfies $K(\phi)$ iff the state is reachable by a computation that always satisfies $\phi$. Consider the following Generalized Consequence Rule:

Definition 5.2 (Generalized Consequence Rule)

$$\frac{N\ \mathrm{sat}\ \phi_1,\quad K(\phi_1) \Rightarrow \phi_2}{N\ \mathrm{sat}\ \phi_2}$$

where $K(\phi_1) \Rightarrow \phi_2$ is a formula of logic $L$. By Observation 5.1 and the definition of $K(\phi)$, if $\phi_1$ and $\phi_2$ are precise and valid specifications, respectively, for $N$, then $K(\phi_1) \Rightarrow \phi_2$. Therefore, incorporating the Generalized Consequence Rule yields a proof system that is complete relative to $L$. Our goal is thus to isolate the power required of a logic to express formula $K(\phi)$: a formula satisfied by exactly those states reachable by a computation that always satisfies $\phi$.

5.1  Extending  Trace  Logic 

Formula $K(\phi)$ can be expressed in an extended trace logic in which, in addition to reasoning over traces of individual communication channels, some explicit reasoning over computations is permitted. Without loss of generality, suppose that the communication channels of all networks under consideration are $c_1, c_2, \ldots, c_m$, and let the data domain of transmittable values be a set $V$. Recalling the computational model of Section 2.1, a state can be represented by a tuple $t = [t_1, \ldots, t_m]$ of channel traces, where $t_i$ is the trace of $c_i$, $1 \le i \le m$. A computation up to some point in time is represented by a finite sequence of such tuples: $t^0, t^1, \ldots, t^n$. (Since we are interested only in states reachable by computations, we need not consider the infinite sequences representing full computations.)

It is not surprising that $K(\phi)$ can be expressed in a logic that allows quantification over finite, arbitrarily long, sequences of tuples: the reachable states can be explicitly generated. Let

• $\phi[\bar c / \bar t]$ denote SNL specification $\phi$ with channel trace variables $c_1, \ldots, c_m$ replaced by traces $t_1, \ldots, t_m$;

• $t^i[t^i_j / t^i_j \cdot \langle v \rangle]$ denote tuple $t^i$ with trace $t^i_j$ extended by value $v \in V$.

We then define $K_{ETL}(\phi)$ as follows.

Definition 5.3 (Formula $K_{ETL}(\phi)$ in Extended Trace Logic)

$K_{ETL}(\phi) =$

$(\exists \langle t^0, \ldots, t^n \rangle :$    There exists a sequence of states such that:

$\quad t^0 = [\langle\rangle, \ldots, \langle\rangle] \wedge$    in the first state all traces are empty,

$\quad t^n = [c_1, \ldots, c_m] \wedge$

$\quad (\forall i : 0 \le i \le n : \phi[\bar c / t^i]) \wedge$    $\phi$ is satisfied in every state,

$\quad (\forall i : 0 \le i < n :$    and in every pair of adjacent states:

$\quad\quad t^{i+1} = t^i \vee$    either the states are identical or

$\quad\quad (\exists j, v : 1 \le j \le m, v \in V :$    the second state extends exactly one trace

$\quad\quad\quad t^{i+1} = t^i[t^i_j / t^i_j \cdot \langle v \rangle])))$    of the first state by exactly one element.

The free variables of $K_{ETL}(\phi)$ are channel trace variables $c_1, \ldots, c_m$. As illustrated by the annotation, $K_{ETL}(\phi)$ is satisfied by exactly those states reachable by a computation that always satisfies $\phi$. Therefore, Definition 5.3 of $K_{ETL}(\phi)$ could be used in the Generalized Consequence Rule to obtain relative completeness.

5.2  Using  Temporal  Logic 

Linear-Time Temporal Logic (TL) is a formalism for reasoning over an implicit sequence of states [MP82]. TL is less complicated and more appropriate than the Extended Trace Logic of Section 5.1 for expressing and reasoning with formulas such as $K(\phi)$. As indicated by the definitions of ORDERING and PREFIX given in Sections 4.4.1 and 4.4.2, however, full temporal logic is more powerful than is needed to express $K(\phi)$. We therefore introduce a number of temporal operators that can be used to define subsets of TL. We then isolate a TL subset that is necessary and sufficient to express $K(\phi)$ and is appropriate for use as the basis of a relatively complete trace-based proof system.

In general, we use $X[old/new]$ to denote entity $X$ with all free occurrences of item $old$ replaced by item $new$.

We begin with a version of TL that extends the trace logic of SNL with three standard temporal operators:

• The Always operator, $\Box$. Informally, $\Box\psi$ is valid iff TL formula $\psi$ is valid at the current point in time and at every point in the future.

• The Next operator, $\circ$. Informally, $\circ\psi$ is valid iff TL formula $\psi$ is valid at the next point in time.

• The Until operator, $U$. Informally, $\psi_1\, U\, \psi_2$ is valid for TL formulas $\psi_1$ and $\psi_2$ iff $\psi_2$ is valid either at the current point in time or at some point in the future, and $\psi_1$ is valid at all points from the current point to the point at which $\psi_2$ becomes valid.

(We omit the Eventually operator, $\Diamond$, since $\Diamond$ is the dual of $\Box$: for any TL formula $\psi$, $\Diamond\psi \Leftrightarrow \neg\Box\neg\psi$ and $\Box\psi \Leftrightarrow \neg\Diamond\neg\psi$.)

TL formulas are interpreted on a network computation by considering a sequence of states as a description of successive points in time. The temporal operators are interpreted in the obvious way, according to the informal descriptions above [MP81,MP82]. (See, e.g., the definitions for $\Box$ given in Section 4.) Our original definition of $\Box$, given in Section 4.4, is for trace logic formulas that do not contain temporal operators. In Section 4.4.2, we consider a version for formulas containing other $\Box$'s. The weaker version of $\Box$ is used to define the Temporal Ordering axiom, while the stronger version is needed to define the Prefix Axiom. In general, allowing nested temporal operators yields significantly more expressive power than restricting temporal operators to operate over non-temporal formulas. Hence, we also consider use of an additional set of temporal operators that operate over trace logic formulas only (written here with an overbar):

• the Restricted Always operator, $\bar\Box$

• the Restricted Next operator, $\bar\circ$

• the Restricted Until operator, $\bar U$

Some definitions of TL instead use a Weak Until operator, in which $\psi_2$ need not ever become valid as long as $\psi_1$ is always valid. In the context of TL, the two versions of $U$ are expressively equivalent [Wol81].

For example, consider TL formula $\Box(\psi_1 \Rightarrow (\Box\psi_2 \vee \circ\psi_2))$, which asserts that whenever $\psi_1$ is valid, either $\psi_2$ is valid thereafter or $\psi_2$ is valid at the next point in time. This property cannot be expressed using temporal operators only over first-order formulas.
It is easy to show that these operators are strictly weaker than their fully temporal counterparts, which we refer to as Unrestricted operators.

We want to isolate the TL subset that is both necessary and sufficient to express formula $K(\phi)$. Various subsets of TL can be constructed by choosing different subsets of the six temporal operators; for example, trace logic with $\Box$ and $\circ$ is a (strict) subset of TL. Suppose we give an interpretation for TL formulas in the Extended Trace Logic (ETL) of Section 5.1, i.e., we define a mapping $\mathcal{M}$ from formulas in TL to formulas in ETL. Then we can establish expressiveness bounds by proving that certain sets of temporal operators are required in any TL formula that is equivalent (through the mapping) to Definition 5.3 of $K_{ETL}(\phi)$.

Mapping $\mathcal{M}$ is derived directly from the definitions of the temporal operators. If $\psi_{TL}$ is any formula of temporal logic, then $\mathcal{M}[\psi_{TL}]$ is an ETL formula containing one free variable, $\sigma$, which ranges over infinite sequences of tuples (representing states). The mapping is semantics-preserving, in that a sequence $\sigma'$ satisfies formula $\psi_{TL}$ iff substitution $[\sigma/\sigma']$ satisfies formula $\mathcal{M}[\psi_{TL}]$. Using such a mapping, TL formula $\psi_{TL}$ is said to be equivalent to ETL formula $\psi_{ETL}$ iff $\mathcal{M}[\psi_{TL}] \Leftrightarrow \psi_{ETL}$.

The full definition of $\mathcal{M}$ is given in Table 1. $\sigma = (\sigma.0, \sigma.1, \sigma.2, \ldots)$, and $\sigma[i..]$ denotes the suffix of $\sigma$ starting at $\sigma.i$ ($i \ge 0$). $\mathcal{M}$ is defined inductively on the structure of TL formulas, and parallels the usual interpretation of temporal logic [MP82]. Note that a mapping $\mathcal{T}$ from TL terms to ETL terms is also needed. We have omitted $\bar\Box$, $\bar\circ$, and $\bar U$, since the mappings for these operators are identical to the mappings for $\Box$, $\circ$, and $U$, respectively.

To consider equivalence between $K_{ETL}(\phi)$ and formulas mapped from TL to ETL, $K_{ETL}(\phi)$ must be redefined so that its existentially quantified sequence of states is represented by a free variable $\sigma$. Define $K_\sigma(\phi)$ as follows.

Definition 5.4 (Modified $K(\phi)$ in Extended Trace Logic)

$K_\sigma(\phi) =$

$\quad \sigma.0 = [\langle\rangle, \ldots, \langle\rangle] \wedge$

$\quad (\forall i : 0 \le i : \phi[\bar c / \sigma.i]) \wedge$

$\quad (\forall i : 0 \le i :$

$\quad\quad \sigma.(i+1) = \sigma.i \vee$

$\quad\quad (\exists j, v : 1 \le j \le m, v \in V :$

$\quad\quad\quad \sigma.(i+1) = \sigma.i[(\sigma.i)_j / (\sigma.i)_j \cdot \langle v \rangle])))$

The correspondence between $K_\sigma(\phi)$ and $K_{ETL}(\phi)$ (Definition 5.3) should be clear. It is easily verified [Wid87] that for any SNL specifications $\phi_1$ and $\phi_2$,

$K_{ETL}(\phi_1) \Rightarrow \phi_2$ iff $K_\sigma(\phi_1) \Rightarrow (\forall i : 0 \le i : \phi_2[\bar c / \sigma.i])$.

By the definition of $K_\sigma(\phi)$, we see that any TL subset that can express $K_\sigma(\phi)$ can also express $(\forall i : 0 \le i : \phi_2[\bar c / \sigma.i])$. Therefore, we can revise the Generalized Consequence Rule to use the equivalent implication $K_\sigma(\phi_1) \Rightarrow (\forall i : 0 \le i : \phi_2[\bar c / \sigma.i])$, adopting Definition 5.4 as our measure of the required expressiveness.

A rigorous proof of semantics-preservation requires formal semantics for TL and ETL. We have avoided giving such here, referring the interested reader to [MP82,Wid87].

Table 1: Mapping $\mathcal{M}$ from TL formulas to ETL formulas

$\mathcal{M}[p(t_1, \ldots, t_n)] = p(\mathcal{T}[t_1], \ldots, \mathcal{T}[t_n])$    $p$ a predicate, $t_1, \ldots, t_n$ TL terms

$\mathcal{M}[\psi_1 \vee \psi_2] = \mathcal{M}[\psi_1] \vee \mathcal{M}[\psi_2]$    $\psi_1$ and $\psi_2$ TL formulas

$\mathcal{M}[\neg\psi] = \neg\mathcal{M}[\psi]$    $\psi$ a TL formula

$\mathcal{M}[(\exists x :: \psi)] = (\exists k :: \mathcal{M}[\psi][x/k])$    $\psi$ a TL formula, $k$ a constant in $V$

$\mathcal{M}[\Box\psi] = (\forall i : 0 \le i : \mathcal{M}[\psi][\sigma/\sigma[i..]])$    $\psi$ a TL formula

$\mathcal{M}[\circ\psi] = \mathcal{M}[\psi][\sigma/\sigma[1..]]$    $\psi$ a TL formula

$\mathcal{M}[\psi_1\, U\, \psi_2] = (\exists i : 0 \le i : (\mathcal{M}[\psi_2][\sigma/\sigma[i..]]) \wedge (\forall j : 0 \le j < i : \mathcal{M}[\psi_1][\sigma/\sigma[j..]]))$    $\psi_1$ and $\psi_2$ TL formulas

$\mathcal{T}[k] = k$    $k$ a constant in $V$

$\mathcal{T}[a] = (\sigma.0)_i$    $a = c_i$ a variable in $\{c_1, \ldots, c_m\}$

$\mathcal{T}[f(t_1, \ldots, t_n)] = f(\mathcal{T}[t_1], \ldots, \mathcal{T}[t_n])$    $f$ a function, $t_1, \ldots, t_n$ TL terms
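The following Python evaluator, added here and not part of the paper, implements the Table 1 clauses for Always, Next and Until over a finite state-sequence and computes the nesting depth that separates the Restricted operators of Section 5.2 from the Unrestricted ones. It assumes a finite sequence stutters on its last state forever; the tuple-based formula encoding and the 0-based trace positions (the paper's are 1-based) are this example's own conventions.

```python
"""Added example (not the paper's code): TL evaluation per Table 1, over a
finite state-sequence that is assumed to stutter on its last state forever."""
State = tuple[tuple[int, ...], ...]          # one trace per channel c_1..c_m

# Constructed formula encoding: ('atom', pred) with pred a predicate on one state
# (a trace-logic formula); ('not', p); ('or', p, q); ('box', p); ('next', p);
# ('until', p, q).  A Restricted operator is one of these constructors applied
# to an operand of nesting depth 0.


def holds(f, seq: list[State], i: int = 0) -> bool:
    """sigma[i..] |= f, i.e. M[f][sigma / sigma[i..]] of Table 1."""
    i = min(i, len(seq) - 1)                 # stuttering: past the end, the last state repeats
    tag = f[0]
    if tag == 'atom':
        return f[1](seq[i])                  # trace-logic formula: first state of the suffix
    if tag == 'not':
        return not holds(f[1], seq, i)
    if tag == 'or':
        return holds(f[1], seq, i) or holds(f[2], seq, i)
    if tag == 'box':                         # (forall k : 0 <= k : M[p][sigma/sigma[k..]])
        return all(holds(f[1], seq, k) for k in range(i, len(seq)))
    if tag == 'next':                        # M[p][sigma/sigma[1..]]
        return holds(f[1], seq, i + 1)
    if tag == 'until':                       # (exists k : q at k and p at every j < k)
        for k in range(i, len(seq)):
            if holds(f[2], seq, k):
                return True
            if not holds(f[1], seq, k):
                return False
        return False                         # q never holds; stuttering adds no new state
    raise ValueError(f"unknown constructor {tag}")


def implies(p, q):
    return ('or', ('not', p), q)


def nesting_depth(f) -> int:
    """Depth of temporal nesting.  Depth <= 1 means every temporal operator is
    applied to a trace-logic formula, i.e. Restricted operators suffice; in the
    refined hierarchy of Section 5.3.2, a formula of depth d needs Box_{d-1} at
    its outermost Box."""
    tag = f[0]
    if tag == 'atom':
        return 0
    if tag in ('box', 'next'):
        return 1 + nesting_depth(f[1])
    if tag == 'until':
        return 1 + max(nesting_depth(f[1]), nesting_depth(f[2]))
    return max(nesting_depth(g) for g in f[1:])     # 'not', 'or'


def ordering_instance(i: int, x: int, j: int, y: int):
    """One instance of ORDERING (Section 4.4.1): depth 1, Restricted Always suffices."""
    iff = ('atom', lambda s: (len(s[i]) < x) == (len(s[j]) < y))
    both = ('atom', lambda s: len(s[i]) < x and len(s[j]) < y)
    return implies(('box', iff), ('box', both))


def prefix_instance(i: int, x: int, v: int):
    """One instance of PREFIX (Definition 4.7): Box(c.x = v => Box(c.x = v)).
    The inner Box sits under the outer one, so depth 2: an Unrestricted Always."""
    eq = ('atom', lambda s: x < len(s[i]) and s[i][x] == v)   # position x is 0-based here
    return ('box', implies(eq, ('box', eq)))


def footnote_formula(p1, p2):
    """Box(psi1 => (Box psi2 or Next psi2)) from the Section 5.2 footnote; depth 2."""
    return ('box', implies(p1, ('or', ('box', p2), ('next', p2))))


if __name__ == "__main__":
    # constructed run: one channel receiving 1 then 2
    run = [((),), ((1,),), ((1, 2),)]
    print(holds(prefix_instance(0, 0, 1), run), nesting_depth(prefix_instance(0, 0, 1)))
```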

5.3  Expressiveness  Bounds  for  Relative  Completeness 

We want to determine which combination of the six temporal operators defined in Section 5.2 is necessary and sufficient in any formula $K_{TL}(\phi)$ such that $\mathcal{M}[K_{TL}(\phi)] \Leftrightarrow K_\sigma(\phi)$. By the definition of mapping $\mathcal{M}$ on formulas of the form $\psi_1\, U\, \psi_2$, and by the fact that $K_\sigma(\phi)$ contains no eventuality components of the form $(\exists i : 0 \le i : f(\sigma.i))$, we see that operator $U$ is not needed in any TL formula $K_{TL}(\phi)$ such that $\mathcal{M}[K_{TL}(\phi)] \Leftrightarrow K_\sigma(\phi)$. Similarly, there is no need to consider operator $\bar U$. Therefore, the TL subsets of interest correspond to the subsets of $\{\Box, \circ, \bar\Box, \bar\circ\}$. The partial ordering of the expressive power of these subsets is given in Fig. 4.

For each non-empty subset $S$ in Fig. 4, let $T_S$ denote the trace logic of SNL extended to include the operators in $S$. For example, subset 4 of Fig. 4 is denoted by $T_\Box$ and subset 8 by $T_{\bar\Box\bar\circ}$. We prove that $T_\Box$ has the necessary and sufficient expressive power to encode $K_\sigma(\phi)$. We show that $T_\Box$ is sufficient by using trace logic with Unrestricted Always operators (only) to write a formula equivalent to $K_\sigma(\phi)$. (Not surprisingly, this formula is based on axioms ORDERING and PREFIX.) We then prove that the subset is an absolute lower bound: each subset lower than or incomparable to $T_\Box$ (subset 4) in the hierarchy of Fig. 4 is not expressive enough to encode $K_\sigma(\phi)$. This is proven by showing that no formula equivalent to $K_\sigma(\phi)$ can be expressed in $T_{\bar\Box\bar\circ}$ (subset 8). Consequently, all subsets except 4, 7, and 9 are insufficient. The resulting division of the subset hierarchy is shown in Fig. 4.

Figure 4: Temporal logic subsets and expressiveness bounds

5.3.1  Sufficiency 

We give a formula $K_\Box(\phi)$ in $T_\Box$ such that $\mathcal{M}[K_\Box(\phi)] \Leftrightarrow K_\sigma(\phi)$.

Definition 5.5 (Formula $K_\Box(\phi)$ in $\mathrm{SNL}_\Box$)

$K_\Box(\phi) =$

$\quad \Box\phi \wedge$

$\quad (\forall i, j, x, y : 1 \le i \le m, 1 \le j \le m, 1 \le x, 0 \le y, i \ne j \vee x \ne y :$

$\quad\quad \Box(|c_i| < x \Leftrightarrow |c_j| < y) \Rightarrow \Box(|c_i| < x \wedge |c_j| < y)) \wedge$

$\quad (\forall i, x, v : 1 \le i \le m, 1 \le x, v \in V :$

$\quad\quad \Box(c_i.x = v \Rightarrow \Box(c_i.x = v)))$

The first conjunct of $K_\Box(\phi)$ restricts state-sequences satisfying $K_\Box(\phi)$ to always satisfy $\phi$. The second and third conjuncts encode the Temporal Ordering and Prefix Properties, restricting state-sequences satisfying $K_\Box(\phi)$ to represent computations.

Theorem 5.6 $\mathcal{M}[K_\Box(\phi)] \Leftrightarrow K_\sigma(\phi)$.

Proof: See appendix. ∎

Thus, the expressive power of $T_\Box$ is sufficient to encode a formula equivalent to $K_\sigma(\phi)$.

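The following Python, added here and not part of the paper, makes Lemma 4.9 and Theorem 5.6 concrete on finite prefixes: it checks a state-sequence against the structural definition of a computation (Definition 5.4) and, independently, against every instance of the ORDERING and PREFIX schemes of Definition 5.5, and it generates the states of Definition 5.3's $K_{ETL}(\phi)$ by bounded search. It assumes a finite prefix stutters on its last state forever (so $\Box$ ranges over the listed states), that channel values are integers, and that `reachable_states` is a bounded version of the paper's unbounded existential quantifier.

```python
"""Added example (not the paper's code): finite-prefix checks for Definition 5.4,
the ORDERING/PREFIX schemes of Definition 5.5, and bounded K_ETL(phi)."""
from itertools import product

State = tuple[tuple[int, ...], ...]      # one trace (tuple of values) per channel


def is_computation(seq: list[State]) -> bool:
    """Structural check of Definition 5.4 on a finite prefix: all traces empty
    initially; each step repeats the state or appends one value to one trace."""
    if not seq or any(len(t) != 0 for t in seq[0]):
        return False                       # sigma.0 must be [<>, ..., <>]
    for prev, cur in zip(seq, seq[1:]):
        if len(prev) != len(cur):
            return False
        changed = [j for j in range(len(prev)) if prev[j] != cur[j]]
        if not changed:
            continue                       # sigma.(i+1) = sigma.i
        if len(changed) != 1:
            return False                   # two traces changed at once
        j = changed[0]
        if not (len(cur[j]) == len(prev[j]) + 1 and cur[j][:-1] == prev[j]):
            return False                   # not "extended by exactly one value"
    return True


def always(seq, pred) -> bool:
    """Box over a finite prefix assumed to stutter on its last state forever:
    Box phi holds iff phi holds in every listed state."""
    return all(pred(s) for s in seq)


def ordering_holds(seq: list[State]) -> bool:
    """Every instance of ORDERING: Box(|ci|<x <=> |cj|<y) => Box(|ci|<x and |cj|<y)
    for 1<=x, 0<=y, (i != j or x != y).  Instances with x or y beyond the longest
    trace are vacuously true on the prefix, so the bound loses nothing."""
    m = len(seq[0])
    bound = max(len(t) for s in seq for t in s) + 1
    for i, j in product(range(m), repeat=2):
        for x in range(1, bound + 1):
            for y in range(0, bound + 1):
                if i == j and x == y:
                    continue
                ante = always(seq, lambda s: (len(s[i]) < x) == (len(s[j]) < y))
                cons = always(seq, lambda s: len(s[i]) < x and len(s[j]) < y)
                if ante and not cons:
                    return False
    return True


def prefix_holds(seq: list[State]) -> bool:
    """Every instance of PREFIX: Box(c.x = v => Box(c.x = v)): once position x
    of a trace carries v, it never changes or disappears in a later state."""
    m = len(seq[0])
    for i in range(m):
        for k, s in enumerate(seq):
            for x, v in enumerate(s[i]):
                # inner Box over the suffix seq[k:]
                if not always(seq[k:], lambda t: x < len(t[i]) and t[i][x] == v):
                    return False
    return True


def satisfies_axioms(seq: list[State]) -> bool:
    """ORDERING and PREFIX together; by Lemma 4.9 this agrees with is_computation."""
    return ordering_holds(seq) and prefix_holds(seq)


def reachable_states(phi, m: int, values, steps: int) -> set[State]:
    """K_ETL(phi) made concrete (Definition 5.3): states reachable from the
    all-empty state by a computation whose every state satisfies phi, explored
    to a bounded number of steps (the paper's quantifier is unbounded)."""
    start: State = tuple(() for _ in range(m))
    if not phi(start):
        return set()
    seen, frontier = {start}, [start]
    for _ in range(steps):
        nxt = []
        for s in frontier:
            for j in range(m):             # extend exactly one trace by one value
                for v in values:
                    t = s[:j] + (s[j] + (v,),) + s[j + 1:]
                    if t not in seen and phi(t):
                        seen.add(t)
                        nxt.append(t)
        frontier = nxt
    return seen


if __name__ == "__main__":
    # constructed sequences: a legal one, and one where two traces change at once
    legal = [((), ()), ((1,), ()), ((1,), (7,)), ((1, 2), (7,))]
    simultaneous = [((), ()), ((1,), (2,))]
    for s in (legal, simultaneous):
        print(is_computation(s), satisfies_axioms(s))
```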
5.3.2  Necessity 

We now show that, with respect to our hierarchy of TL subsets, $T_\Box$ is necessary to encode $K_\sigma(\phi)$: any TL subset weaker than or incomparable to $T_\Box$ cannot be used to express a formula equivalent to $K_\sigma(\phi)$. This requires proving that no formula equivalent to $K_\sigma(\phi)$ can be expressed in $T_{\bar\Box\bar\circ}$.

First, we prove a key lemma, that there is no formula $\psi_{\bar\Box\bar\circ}$ in $T_{\bar\Box\bar\circ}$ such that $\mathcal{M}[\psi_{\bar\Box\bar\circ}]$ and $K_\sigma(true)$ are satisfied by the same set of substitutions for free variable $\sigma$. (Note that $true$ is an SNL specification satisfied by every network.) The final result, that there is no formula $K_{\bar\Box\bar\circ}(\phi)$ in $T_{\bar\Box\bar\circ}$ such that $\mathcal{M}[K_{\bar\Box\bar\circ}(\phi)] \Leftrightarrow K_\sigma(\phi)$, then follows directly. To prove that there is no formula $\psi_{\bar\Box\bar\circ}$ in $T_{\bar\Box\bar\circ}$ such that $\mathcal{M}[\psi_{\bar\Box\bar\circ}]$ and $K_\sigma(true)$ are satisfied by the same set of substitutions, we show, for every potential $\psi_{\bar\Box\bar\circ}$, that there is some state-sequence $\sigma'$ such that either $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$ but not $K_\sigma(true)[\sigma/\sigma']$, or $K_\sigma(true)[\sigma/\sigma']$ but not $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$.

Informally, the argument proceeds as follows. For every $\psi_{\bar\Box\bar\circ}$ there is some $n \ge 0$ ($n$ is the nesting depth of Next operators in $\psi_{\bar\Box\bar\circ}$) such that $\mathcal{M}[\psi_{\bar\Box\bar\circ}]$ can refer to states of $\sigma$ beyond $\sigma.n$ only by universal quantification (resulting from Restricted Always operators in $\psi_{\bar\Box\bar\circ}$). If no state-sequences $\sigma'$ satisfy $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$, or the only satisfying sequences have all repeated states beyond $\sigma'.n$, then it is straightforward to construct a sequence $\sigma''$ such that $K_\sigma(true)[\sigma/\sigma'']$ but not $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma'']$. Otherwise, we construct a sequence $\sigma''$ that does not represent a computation due to an irregularity beyond state $\sigma''.n$ (e.g. the length of a trace decreases from one state to the next). $K_\sigma(true)[\sigma/\sigma'']$ does not hold, since $\sigma''$ does not represent a computation; however, $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma'']$ does hold, as long as $\sigma''$ is constructed by rearranging states from a sequence $\sigma'$ known to satisfy $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$.

Lemma 5.7 For any formula $\psi_{\bar\Box\bar\circ}$ in $T_{\bar\Box\bar\circ}$ there exists a state-sequence $\sigma'$ such that either $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$ and not $K_\sigma(true)[\sigma/\sigma']$, or $K_\sigma(true)[\sigma/\sigma']$ and not $\mathcal{M}[\psi_{\bar\Box\bar\circ}][\sigma/\sigma']$.

Proof: See appendix. ∎


Theorem 5.8 There is no formula $K_{\bar\Box\bar\circ}(\phi)$ in $T_{\bar\Box\bar\circ}$ such that $\mathcal{M}[K_{\bar\Box\bar\circ}(\phi)] \Leftrightarrow K_\sigma(\phi)$.

Proof: Consider an arbitrary formula $K_{\bar\Box\bar\circ}(\phi)$ in $T_{\bar\Box\bar\circ}$. $\mathcal{M}[K_{\bar\Box\bar\circ}(\phi)] \Leftrightarrow K_\sigma(\phi)$ iff for all trace-logic formulas $\phi$ and state-sequences $\sigma'$: $\mathcal{M}[K_{\bar\Box\bar\circ}(\phi)][\sigma/\sigma']$ iff $K_\sigma(\phi)[\sigma/\sigma']$. Suppose $\phi = true$. By Lemma 5.7, there exists a state-sequence $\sigma'$ such that either $\mathcal{M}[K_{\bar\Box\bar\circ}(true)][\sigma/\sigma']$ and not $K_\sigma(true)[\sigma/\sigma']$ or $K_\sigma(true)[\sigma/\sigma']$ and not $\mathcal{M}[K_{\bar\Box\bar\circ}(true)][\sigma/\sigma']$. Hence $\mathcal{M}[K_{\bar\Box\bar\circ}(true)] \not\Leftrightarrow K_\sigma(true)$ and consequently $\mathcal{M}[K_{\bar\Box\bar\circ}(\phi)] \not\Leftrightarrow K_\sigma(\phi)$. ∎

This result can be strengthened by refining the subset hierarchy. Rather than distinguishing only between Restricted and Unrestricted temporal operators (operators that may be nested zero or arbitrarily many times, respectively), consider an infinite set of temporal operators based on allowable nesting depth. For any $x$, $0 \le x \le \infty$, let $\Box_x$ denote a version of $\Box$ restricted to operate over formulas with at most $x$ nested $\Box$'s; similarly define operator $\circ_x$. From these infinite sets of temporal operators we obtain an infinite hierarchy of TL subsets. Given the results of Sections 5.3.1 and 5.3.2, it is easy to show that, with respect to this refined subset hierarchy, $T_{\Box_1}$ is necessary and sufficient to express a formula equivalent to $K_\sigma(\phi)$ [Wid87].

6  Hierarchically  Structured  Networks 

Thus  far,  we  have  restricted  attention  to  networks  constructed  directly  from  primitive  pro¬ 
cesses.  A  hierarchically  structured  network  is  a  network  in  which  the  component  processes 
may  be  either  primitive  processes  or  sub-networks.  For  simplicity,  assume  that  all  process 
and  channel  names  are  unique  throughout  the  hierarchy.  Our  model  and  proof  system  easily 
generalize  to  such  hierarchically  structured  networks;  our  results  remain  unchanged. 

Recall  from  Section  2  that  our  model  of  network  computation  is  compositional — the  set 
representing  the  behavior  of  a  network  can  be  constructed  from  the  sets  representing  the 
behavior  of  the  network's  component  processes.  To  adapt  this  model  for  hierarchically  struc¬ 
tured  networks,  we  construct  the  set  representing  the  behavior  of  a  network  by  inductively 
applying  the  construction  to  the  network’s  components  (assuming  that  the  sets  for  the  base 
processes  are  given).  Internal  channels  of  a  process  implemented  as  a  sub-network  can  be 
hidden  by  simply  eliminating  all  traces  of  the  process’s  internal  channels  when  constructing 
the  set  for  the  network. 

No modifications to the SNL inference rules are needed for hierarchically structured networks. If a component process is implemented as a sub-network, the proof system itself is used to verify a specification for the sub-network. Furthermore, by inductive application of Preciseness Preservation Theorem 4.3, from precise specifications for base processes, precise specifications for networks at any level of a hierarchy can be obtained. Thus, our assumption regarding availability of precise specifications for a network's component processes remains valid. Finally, if one wishes to simplify specifications by hiding the existence of internal channels in component sub-networks, this can be done using Consequence Rule 3.2.

Since  our  model  and  proof  system  adapt  directly  to  hierarchically  structured  networks, 
it  should  be  clear  that  our  fundamental  results  regarding  expressiveness  and  completeness 
are  still  valid.  In  fact,  all  definitions,  examples,  lemmas,  and  theorems  of  Sections  4  and  5 
are  left  unchanged. 

7  Conclusions 

We have considered a simple trace-based proof system for networks of processes, SNL, with a specification language and inference rules similar to those in most trace-based systems [Bro84,CH81,HH83,Hoa85,Jon85,MC81,NDGO86,Zwi88]. Through examples that are single-process networks, we showed that SNL is incomplete because it is not expressive enough to encode properties of computation that are needed to verify certain valid network specifications. We then showed that axiomatization of Temporal Ordering and Prefix Properties is necessary and sufficient to achieve relative completeness. The Temporal Ordering and Prefix Axioms characterize legal network computation; thus, we investigated the expressiveness needed in any relatively complete system by considering logics that can perform this function. We found that the power of an unrestricted temporal logic Always operator is an upper and lower bound.

Since the expressive power of the Always operator (or of Temporal Ordering and Prefix Axioms) is an essential component of a relatively complete proof system, it is interesting to look at existing complete systems and identify how this expressive power is encoded. No encoding is needed in [NDGO86], since the proof system is based directly on temporal logic. However, as we have shown, the full power of temporal logic present in that proof system is not necessary for proving safety properties. Several proof systems allow explicit reasoning over all possible computations [Bro84,HH83,ZdRvEB85], as in the Extended Trace Logic of Section 5.1. As we have seen, this gives at least the expressive power of temporal logic, since the states of every computation can be directly and individually referenced.

In [ZdRvEB85], the incompleteness of the proof system in [MC81] is discussed and a rule is suggested that would render it relatively complete. (A similar rule is proposed in [Ngu85].) Informally, the rule asserts the following: Let $\phi$ be a valid specification for a network $N$, and let $\tau$ be an interleaved trace of all communication events during any computation of $N$. Then every prefix of $\tau$ satisfies $\phi$. This rule certainly captures our Prefix Property. The Temporal Ordering Property is encoded as well. To see this, suppose specification $\phi$ constrains two communication events $c1.x$ and $c2.y$ to occur simultaneously. Any trace $\tau$ including only one of $c1.x$ and $c2.y$ will not satisfy $\phi$ and thus cannot correspond to a computation of $N$. Suppose, then, that both events are included in $\tau$. Consider any prefix $\tau' \sqsubseteq \tau$ that contains one event but not the other (such a prefix must exist). Then $\tau'$ will not satisfy $\phi$, since only one of $c1.x$ and $c2.y$ appears in $\tau'$. Hence no computation of $N$ can include either event.

In [Jon85], the fact that valid specifications do not always follow from precise specifications is identified, but no actual solution is proposed. The author suggests adding a proof rule of the form:

$$\frac{N\ \mathrm{sat}\ \phi_1}{N\ \mathrm{sat}\ \phi_2}$$

which can be applied whenever $\phi_1$ and $\phi_2$ are such that any network that always satisfies $\phi_1$ will also always satisfy $\phi_2$. No formal method is given, however, for determining when a pair of specifications is a candidate for application of the rule. Our work has exactly characterized those pairs that qualify and has isolated the expressiveness required of a logic that can recognize them.

Appendix 

Theorem 3.4 (Soundness of SNL) Let $N$ be a network and $\phi$ a specification such that $N\ \mathrm{sat}\ \phi$ is a theorem of SNL. Then $\phi$ is valid for $N$.

Proof: Since we are assuming validity of process specifications, soundness requires showing that whenever the hypothesis of an SNL inference rule is valid, so is the conclusion.

• Network Composition Rule 3.1:

$$\frac{P_1\ \mathrm{sat}\ \phi_1, \ldots, P_n\ \mathrm{sat}\ \phi_n}{P_1 \| \cdots \| P_n\ \mathrm{sat}\ \bigwedge_i \phi_i}$$

Assume each $\phi_i$ is valid for $P_i$, so $\kappa.j \models \phi_i$ for all $\kappa \in CS(P_i)$ and $j \ge 0$. We must show that $\kappa.j \models \bigwedge_i \phi_i$ for all $\kappa \in CS(N)$ and $j \ge 0$, where $N = P_1 \| \cdots \| P_n$. Recall that $Proj(\kappa, P_i)$ denotes the projection of $\kappa$ onto those channels of $N$ incident to $P_i$. Consider an arbitrary conjunct $\phi_i$, an arbitrary $\kappa \in CS(N)$, and an arbitrary $j \ge 0$. By the definition of $CS(N)$ (Section 2.1), $Proj(\kappa, P_i) \in CS(P_i)$; hence, by assumption, $Proj(\kappa, P_i).j \models \phi_i$. Therefore, $\kappa.j \models \phi_i$ as well, since the traces that are removed from $\kappa$ in the projection cannot be for channels mentioned in $\phi_i$. Since $\kappa$, $j$, and $\phi_i$ were chosen arbitrarily, we conclude that $\kappa.j \models \bigwedge_i \phi_i$ for all $\kappa \in CS(N)$ and $j \ge 0$. Thus $\bigwedge_i \phi_i$ is valid for $N$.

• Consequence Rule 3.2:

$$\frac{N\ \mathrm{sat}\ \phi_1,\quad \phi_1 \Rightarrow \phi_2}{N\ \mathrm{sat}\ \phi_2}$$

Let $\phi_1$ be valid for $N$, so $\kappa.j \models \phi_1$ for all $\kappa \in CS(N)$ and $j \ge 0$. Then, by $\phi_1 \Rightarrow \phi_2$ and predicate logic, $\kappa.j \models \phi_2$ for all $\kappa \in CS(N)$ and $j \ge 0$. Thus $\phi_2$ is valid for $N$. ∎

Theorem 4.3 (Preciseness-Preservation) Let $\phi_i$ be a precise specification for $P_i$, $1 \le i \le n$, and let $N = P_1 \| \cdots \| P_n$. Then $\bigwedge_i \phi_i$ is a precise specification for $N$.

Proof: We must show that $\bigwedge_i \phi_i$ satisfies both parts of Definition 3.5 of precise specifications.

1. ($\bigwedge_i \phi_i$ is valid for $N$.) Since the $\phi_i$ are precise specifications for their respective $P_i$, they are valid. That $\bigwedge_i \phi_i$ is then valid for $N$ was proven in Soundness Theorem 3.4.

2. (If $\kappa$ is any computation containing traces for the channels in $N$, and $\kappa.j \models \bigwedge_i \phi_i$ for all $j \ge 0$, then $\kappa \in CS(N)$.) Consider any $\kappa$ containing traces for the channels in $N$ in which $\kappa.j \models \bigwedge_i \phi_i$ for all $j \ge 0$. Recall that $Proj(\kappa, P_i)$ denotes the projection of $\kappa$ onto those channels of $N$ incident to $P_i$. Since $\kappa.j \models \bigwedge_i \phi_i$ for all $j \ge 0$, $Proj(\kappa, P_i).j \models \phi_i$ for all $j \ge 0$ and $1 \le i \le n$. Thus, by the preciseness of the $\phi_i$, $Proj(\kappa, P_i) \in CS(P_i)$, $1 \le i \le n$. Then, by the definition of $CS(P_1 \| \cdots \| P_n)$ (Section 2.1), $\kappa \in CS(N)$. ∎

Theorem 4.6 (Soundness of ORDERING)  If $\kappa$ is a computation then $\kappa \models \mathrm{ORDERING}$.

Proof: Let $\kappa$ be any computation and suppose that the antecedent of ORDERING holds: $\kappa \models \Box(|c1| < x \Leftrightarrow |c2| < y)$ for some $x \geq 1$, $y \geq 0$. We prove by induction that each state of $\kappa$ satisfies $(|c1| < x \wedge |c2| < y)$, so $\kappa \models \Box(|c1| < x \wedge |c2| < y)$ and therefore $\kappa \models \mathrm{ORDERING}$.

Base Case: We show that $\kappa.0$ satisfies $(|c1| < x \wedge |c2| < y)$. From $x \geq 1$ and computation condition CC1 (Section 2.1), $\kappa.0$ satisfies $|c1| < x$. Then, by the antecedent of ORDERING, $\kappa.0$ also satisfies $|c2| < y$. Thus $\kappa.0$ satisfies $(|c1| < x \wedge |c2| < y)$.

Induction: Suppose that $\kappa.(i-1)$ satisfies $(|c1| < x \wedge |c2| < y)$ for some $i > 0$. We show that $\kappa.i$ satisfies $(|c1| < x \wedge |c2| < y)$. Assume, for the sake of a contradiction, that $\kappa.i$ satisfies $(|c1| \geq x \vee |c2| \geq y)$. Then, by the antecedent of ORDERING, $\kappa.i$ also satisfies $(|c1| \geq x \wedge |c2| \geq y)$. Since $\kappa.(i-1)$ satisfies $(|c1| < x \wedge |c2| < y)$, if $c1$ and $c2$ are distinct then two channel traces change between $\kappa.(i-1)$ and $\kappa.i$, contradicting computation condition CC4 (Section 2.1). If $c1$ and $c2$ are the same channel, then $x \neq y$, a channel trace increases in length by more than one between $\kappa.(i-1)$ and $\kappa.i$, and condition CC3 is contradicted. Hence $\kappa.i$ satisfies $(|c1| < x \wedge |c2| < y)$ and the induction is complete. $\blacksquare$

Lemma 4.9  Let $\kappa$ be any infinite sequence of states. $\kappa$ represents a computation iff $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.

Proof: [$\Rightarrow$] (If $\kappa$ represents a computation then $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.) This follows directly from soundness of ORDERING and PREFIX (Theorems 4.6 and 4.8).

[$\Leftarrow$] (If $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$ then $\kappa$ represents a computation.) We prove the contrapositive: if $\kappa$ does not represent a computation, then $\kappa \not\models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$. By the definition of a computation (Section 2.1), if $\kappa$ does not represent a computation then $\kappa$ satisfies $\neg(\mathrm{CC1} \wedge \mathrm{CC2} \wedge \mathrm{CC3} \wedge \mathrm{CC4})$. Formula $\neg(\mathrm{CC1} \wedge \mathrm{CC2} \wedge \mathrm{CC3} \wedge \mathrm{CC4})$ can be rewritten as

$$(\neg\mathrm{CC2}) \vee (\mathrm{CC2} \wedge \neg\mathrm{CC1}) \vee (\mathrm{CC2} \wedge \neg\mathrm{CC3}) \vee (\mathrm{CC2} \wedge \mathrm{CC3} \wedge \neg\mathrm{CC4}). \qquad (6)$$

We show that if $\kappa$ satisfies any of the disjuncts in (6), then $\kappa$ does not satisfy both ORDERING and PREFIX.

1. $\kappa$ does not satisfy CC2: Some trace in some state is not a prefix of the corresponding trace in the subsequent state. Therefore PREFIX does not hold.

2. $\kappa$ satisfies CC2 but not CC1: Some trace is non-empty in the initial state, so let $|c| = x$ in $\kappa.0$ with $x \geq 1$. Since CC2 holds, $\kappa$ satisfies $\Box(|c| \geq x)$ and therefore $\Box(|c| < x \Leftrightarrow |c| < 0)$. However $\kappa$ does not satisfy $\Box(|c| < x \wedge |c| < 0)$, so ORDERING does not hold.

3. $\kappa$ satisfies CC2 but not CC3: Some trace increases in length by more than one between states, so let $|c| = x$ in some $\kappa.i$ and $|c| = x + y$ in $\kappa.(i+1)$, with $y > 1$. Since CC2 holds, $\kappa$ satisfies $\Box(|c| < x + 1 \Leftrightarrow |c| < x + y)$. However $\kappa$ does not satisfy $\Box(|c| < x + 1 \wedge |c| < x + y)$, so ORDERING does not hold.

4. $\kappa$ satisfies CC2 and CC3 but not CC4: More than one trace changes between some state and its subsequent state, so let $|c1| = x$ and $|c2| = y$ in some $\kappa.i$, and let $|c1| = x + 1$ and $|c2| = y + 1$ in $\kappa.(i+1)$. Since CC2 holds, $\kappa$ satisfies $\Box(|c1| < x + 1 \Leftrightarrow |c2| < y + 1)$. However $\kappa$ does not satisfy $\Box(|c1| < x + 1 \wedge |c2| < y + 1)$, so ORDERING does not hold. $\blacksquare$

Theorem 5.6  $\mathcal{M}[\![K_\sigma(\phi)]\!] \Leftrightarrow K_\sigma(\phi)$.

Proof: Proving $\mathcal{M}[\![K_\sigma(\phi)]\!] \Leftrightarrow K_\sigma(\phi)$ requires showing that for all trace logic formulas $\phi$ and state-sequences $\sigma'$, $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma'] \Leftrightarrow K_\sigma(\phi)[\sigma/\sigma']$. First, applying the definition of $\mathcal{M}$, we obtain

$$\begin{array}{l}
\mathcal{M}[\![K_\sigma(\phi)]\!] = \\
\quad (\forall i: 0 \leq i: \phi[\bar{c}/\sigma.i])\ \wedge \\
\quad (\forall i, j, x, y: 1 \leq i \leq m,\ 1 \leq j \leq m,\ 1 \leq x,\ 0 \leq y,\ i \neq j \vee x \neq y: \\
\qquad (\forall k: 0 \leq k: |(\sigma.k)_i| < x \Leftrightarrow |(\sigma.k)_j| < y) \Rightarrow \\
\qquad (\forall k: 0 \leq k: |(\sigma.k)_i| < x \wedge |(\sigma.k)_j| < y))\ \wedge \\
\quad (\forall i, x, v: 1 \leq i \leq m,\ 1 \leq x,\ v \in V: \\
\qquad (\forall k: 0 \leq k: ((\sigma.k)_i.x = v) \Rightarrow (\forall l: 0 \leq l: (\sigma.(k+l))_i.x = v))).
\end{array}$$

(To understand the first conjunct, note that for any non-temporal formula $\phi$, $\mathcal{M}[\![\phi]\!] = \phi[c_1, \ldots, c_m / (\sigma.0)_1, \ldots, (\sigma.0)_m] = \phi[\bar{c}/\sigma.0]$.)

Now consider an arbitrary trace-logic formula $\phi$ and state-sequence $\sigma'$.

[$\Rightarrow$] If $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ then $K_\sigma(\phi)[\sigma/\sigma']$.

We prove the contrapositive: the falsity of $K_\sigma(\phi)[\sigma/\sigma']$ implies the falsity of $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$. Suppose $K_\sigma(\phi)[\sigma/\sigma']$ is false, and consider the three conjuncts of $K_\sigma(\phi)$. The second conjunct of $K_\sigma(\phi)$ is identical to the first conjunct of $\mathcal{M}[\![K_\sigma(\phi)]\!]$. Therefore, if the second conjunct of $K_\sigma(\phi)[\sigma/\sigma']$ is false then $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ is also false. Suppose the first or third conjunct of $K_\sigma(\phi)[\sigma/\sigma']$ is false. Then some trace in the initial state of $\sigma'$ is non-empty or some subsequent state does not extend at most one trace of the preceding state by at most one element, i.e. $\sigma'$ does not represent a computation. Note that the second and third conjuncts of $\mathcal{M}[\![K_\sigma(\phi)]\!]$ are derived directly from the Temporal Ordering and Prefix Axioms, and recall Lemma 4.9: a state-sequence $\kappa$ represents a computation iff $\kappa \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$. Therefore, if $\sigma'$ does not represent a computation, then the second or third conjunct of $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ is false. We have considered all three conjuncts of $K_\sigma(\phi)$, so we conclude that if $K_\sigma(\phi)[\sigma/\sigma']$ is false then $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ is also false; hence $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ implies $K_\sigma(\phi)[\sigma/\sigma']$.

[$\Leftarrow$] If $K_\sigma(\phi)[\sigma/\sigma']$ then $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$.

We must show that each of the three conjuncts of $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ follows from $K_\sigma(\phi)[\sigma/\sigma']$. The first conjunct of $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ is identical to the second conjunct of $K_\sigma(\phi)[\sigma/\sigma']$ and therefore follows directly. The second and third conjuncts of $\mathcal{M}[\![K_\sigma(\phi)]\!]$ encode axioms ORDERING and PREFIX, respectively. By the definition of $K_\sigma(\phi)$, if $K_\sigma(\phi)[\sigma/\sigma']$ then $\sigma'$ must represent a computation. Recall from Theorems 4.6 and 4.8 that ORDERING and PREFIX are sound, i.e. if $\sigma'$ represents a computation then $\sigma' \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$. Therefore, if $K_\sigma(\phi)[\sigma/\sigma']$ then $\sigma'$ represents a computation and consequently satisfies the second and third conjuncts of $\mathcal{M}[\![K_\sigma(\phi)]\!]$. Since each of the three conjuncts of $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$ follows from $K_\sigma(\phi)[\sigma/\sigma']$, we conclude that $K_\sigma(\phi)[\sigma/\sigma']$ implies $\mathcal{M}[\![K_\sigma(\phi)]\!][\sigma/\sigma']$. $\blacksquare$

Lemma 5.7  For any formula $\psi_{\Box\bigcirc}$ in $T_{\Box\bigcirc}$, there exists a state-sequence $\sigma'$ such that either

$\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and not $K_\sigma(true)[\sigma/\sigma']$, or
$K_\sigma(true)[\sigma/\sigma']$ and not $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$.

Proof: To prove this, we will need to consider the nesting depth of Next operators in formulas of $T_{\Box\bigcirc}$. For any formula $\psi_{\Box\bigcirc}$ in $T_{\Box\bigcirc}$, let $\bigcirc\textit{-nesting}(\psi_{\Box\bigcirc})$ denote the maximum nesting of Next operators in $\psi_{\Box\bigcirc}$ (for example, $\bigcirc\textit{-nesting}(\bigcirc(\phi_1 \vee \bigcirc\phi_2)) = 2$). Since every formula has only a finite number of $\bigcirc$'s, $\bigcirc\textit{-nesting}(\psi_{\Box\bigcirc})$ is a well-defined non-negative integer.

Now, consider an arbitrary $\psi_{\Box\bigcirc}$ in $T_{\Box\bigcirc}$, and let $n = \bigcirc\textit{-nesting}(\psi_{\Box\bigcirc})$. Three cases must be considered. Case 3 is the general case, in which we use a $\sigma'$ known to satisfy $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!]$ to construct a $\sigma''$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$ holds but $K_\sigma(true)[\sigma/\sigma'']$ does not. $\sigma''$ is constructed by rearranging states of $\sigma'$ beyond state $\sigma'.n$ so that $K_\sigma(true)[\sigma/\sigma'']$ is false. However, $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$ follows from $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$, since $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!]$ refers to states beyond $\sigma.n$ only by universal quantification. Cases 1 and 2 cover the situations in which there is no $\sigma'$ satisfying $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!]$ or every such $\sigma'$ has only repeating states after state $\sigma'.n$.

Case 1. There is no $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$.

We must then show that there is some $\sigma'$ such that $K_\sigma(true)[\sigma/\sigma']$. One such $\sigma'$ is the state-sequence in which every channel trace is always empty:

$$\sigma' = \langle\, [\langle\rangle, \ldots, \langle\rangle],\ [\langle\rangle, \ldots, \langle\rangle],\ \ldots \,\rangle$$

$\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ is false, since there is no $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$, but, by Definition 5.4 of $K_\sigma(\phi)$, $K_\sigma(true)[\sigma/\sigma']$ is true.

Case 2. There exists a $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and every such $\sigma'$ has only repeating states after state $\sigma'.n$. (Recall that $n = \bigcirc\textit{-nesting}(\psi_{\Box\bigcirc})$, so $n \geq 0$.) That is, for every $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and every $i > n$, $\sigma'.i = \sigma'.(i-1)$.

Consider an arbitrary $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$. If $K_\sigma(true)[\sigma/\sigma']$ is false, we are done. Suppose, then, that $K_\sigma(true)[\sigma/\sigma']$ is true. Construct $\sigma''$ from $\sigma'$ by extending one trace by one element between states $\sigma'.n$ and $\sigma'.(n+1)$:

$$\sigma'' = \langle\, \sigma'.0,\ \sigma'.1,\ \ldots,\ \sigma'.n,\ \sigma'.n[(\sigma'.n)_i / (\sigma'.n)_i \cdot \langle v \rangle],\ \ldots \,\rangle$$

for an arbitrary $v \in V$. $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$ is false, since $\sigma''.(n+1) \neq \sigma''.n$. But, by $K_\sigma(true)[\sigma/\sigma']$ and the definition of $K_\sigma(\phi)$, $K_\sigma(true)[\sigma/\sigma'']$ is true.

Case 3. There exists a $\sigma'$ such that $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and $\sigma'$ has a non-repeating state after $\sigma'.n$ (i.e. $\sigma'.i \neq \sigma'.(i-1)$ for some $i > n$).

Consider such a $\sigma'$, and consider the smallest $i > n$ satisfying $\sigma'.i \neq \sigma'.(i-1)$. By definition,

$$\sigma' = \langle\, \sigma'.0,\ \sigma'.1,\ \ldots,\ \sigma'.n,\ \sigma'.(n+1),\ \ldots,\ \sigma'.(i-1),\ \sigma'.i,\ \ldots \,\rangle$$

such that for all $k$, $n \leq k < i$, $\sigma'.k = \sigma'.n$, but $\sigma'.i \neq \sigma'.n$. If $K_\sigma(true)[\sigma/\sigma']$ is false, we are done. Suppose, then, that $K_\sigma(true)[\sigma/\sigma']$ is true. Since $\sigma'.i \neq \sigma'.n$, there must exist a $j$ and a $v$, $1 \leq j \leq m$, $v \in V$, such that $\sigma'.i = \sigma'.n[(\sigma'.n)_j / (\sigma'.n)_j \cdot \langle v \rangle]$. Let $\sigma''$ be constructed from $\sigma'$ by repeating state $\sigma'.n$ and inserting a copy of state $\sigma'.i$ between the repetition:

$$\sigma'' = \langle\, \sigma'.0,\ \sigma'.1,\ \ldots,\ \sigma'.n,\ \sigma'.i,\ \sigma'.n,\ \sigma'.(n+1),\ \sigma'.(n+2),\ \ldots \,\rangle$$

Note that $\sigma''.(n+1) = \sigma'.i$ and $\sigma''.(n+2) = \sigma'.n$. Let $x$ be the index of the last element in channel trace $(\sigma''.(n+1))_j$. (We know $(\sigma''.(n+1))_j$ is non-empty since $\sigma''.(n+1) = \sigma'.i = \sigma'.n[(\sigma'.n)_j / (\sigma'.n)_j \cdot \langle v \rangle]$.) $K_\sigma(true)[\sigma/\sigma'']$ is false because its third conjunct is contradicted (recall Definition 5.4): $(\sigma''.(n+1))_j.x = (\sigma'.i)_j.x = v$, but $(\sigma''.(n+2))_j.x = (\sigma'.n)_j.x$ is undefined. Therefore, by showing $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$, the proof is complete.

Recall that we are assuming $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$. We prove $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$ by structural induction on $\psi_{\Box\bigcirc}$.

Base Case:

•  $\psi_{\Box\bigcirc} = p(t_1, \ldots, t_n)$: No temporal operators can appear in $p(t_1, \ldots, t_n)$, so by the definition of $\mathcal{M}$ (Table 1), the only references to $\sigma$ in $\mathcal{M}[\![p(t_1, \ldots, t_n)]\!]$ are references to $\sigma.0$. Since $\sigma''.0 = \sigma'.0$, $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma'']$ follows from $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$.

Induction:

•  $\psi_{\Box\bigcirc} = \psi_1 \vee \psi_2$: By $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and the definition of $\mathcal{M}$, $\mathcal{M}[\![\psi_1]\!][\sigma/\sigma']$ or $\mathcal{M}[\![\psi_2]\!][\sigma/\sigma']$. If $\mathcal{M}[\![\psi_1]\!][\sigma/\sigma']$, then by the induction hypothesis, $\mathcal{M}[\![\psi_1]\!][\sigma/\sigma'']$. If $\mathcal{M}[\![\psi_2]\!][\sigma/\sigma']$, then by the induction hypothesis, $\mathcal{M}[\![\psi_2]\!][\sigma/\sigma'']$. Therefore $\mathcal{M}[\![\psi_1]\!][\sigma/\sigma'']$ or $\mathcal{M}[\![\psi_2]\!][\sigma/\sigma'']$, and consequently $\mathcal{M}[\![\psi_1 \vee \psi_2]\!][\sigma/\sigma'']$.

•  $\psi_{\Box\bigcirc} = \neg\psi$: By the definition of $\mathcal{M}$, $\mathcal{M}[\![\psi]\!][\sigma/\sigma']$ is false. Then by the induction hypothesis, $\mathcal{M}[\![\psi]\!][\sigma/\sigma'']$ is false. Therefore $\mathcal{M}[\![\neg\psi]\!][\sigma/\sigma'']$.

•  $\psi_{\Box\bigcirc} = (\exists x :: \psi)$: By $\mathcal{M}[\![\psi_{\Box\bigcirc}]\!][\sigma/\sigma']$ and the definition of $\mathcal{M}$, there exists a $v \in V$ such that $\mathcal{M}[\![\psi[x/v]]\!][\sigma/\sigma']$. Then by the induction hypothesis, there exists a $v \in V$ such that $\mathcal{M}[\![\psi[x/v]]\!][\sigma/\sigma'']$. Therefore $\mathcal{M}[\![(\exists x :: \psi)]\!][\sigma/\sigma'']$.

•  $\psi_{\Box\bigcirc} = \Box\psi$: We know $\mathcal{M}[\![\Box\psi]\!][\sigma/\sigma']$. Therefore, by the definition of $\mathcal{M}$ and substitution, $\mathcal{M}[\![\psi]\!][\sigma/\sigma'[i..]]$ for all $i \geq 0$. Since $\Box$ is the restricted version of Always, $\psi$ contains no temporal operators. Thus the only references to $\sigma$ in $\mathcal{M}[\![\psi]\!]$ are references to $\sigma.0$, and consequently $\mathcal{M}[\![\psi]\!][\sigma/\sigma'[i..]]$ is equivalent to $\mathcal{M}[\![\psi]\!][\sigma.0/\sigma'.i]$. Now, by the definition of $\sigma''$, for all $\sigma''.k$, $k \geq 0$, there exists some $\sigma'.i$, $i \geq 0$, such that $\sigma''.k = \sigma'.i$. Therefore, $\mathcal{M}[\![\psi]\!][\sigma.0/\sigma''.k]$ for all $k \geq 0$ follows from $\mathcal{M}[\![\psi]\!][\sigma.0/\sigma'.i]$ for all $i \geq 0$. Hence $\mathcal{M}[\![\psi]\!][\sigma/\sigma''[k..]]$ for all $k \geq 0$ and $\mathcal{M}[\![\Box\psi]\!][\sigma/\sigma'']$.

•  $\psi_{\Box\bigcirc} = \bigcirc\psi$: We know $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma']$. Since $\bigcirc\textit{-nesting}(\bigcirc\psi) \leq n$, by the definition of $\mathcal{M}$ every occurrence of $\sigma$ in $\mathcal{M}[\![\bigcirc\psi]\!]$ is either

1. $\sigma.k$, for some $0 \leq k \leq n$, resulting from at most $n$ nested Next operators, or

2. $\sigma.(k+i)$, for some universally quantified $i$ and some $0 \leq k \leq n$, resulting from a $\Box$ operator nested within at most $n$ $\bigcirc$ operators. (No temporal operators can be nested within $\Box$, since $\Box$ operates only over non-temporal formulas.)

We need to show $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma'']$. Since $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma']$, we can prove $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma'']$ by showing that substitutions $[\sigma/\sigma']$ and $[\sigma/\sigma'']$ yield the same values for all occurrences of $\sigma$ in $\mathcal{M}[\![\bigcirc\psi]\!]$. Consider the two types of occurrences of $\sigma$, as defined above:

1. $\sigma.k$, $0 \leq k \leq n$. By the definition of $\sigma''$, $\sigma''.k = \sigma'.k$ for all $0 \leq k \leq n$.

2. $\sigma.(k+i)$, $i$ universally quantified and $0 \leq k \leq n$. Under substitution $[\sigma/\sigma']$, the $\sigma.(k+i)$'s range over the set $S_{\sigma'} = \{\sigma'.k, \sigma'.(k+1), \sigma'.(k+2), \ldots\}$. Under substitution $[\sigma/\sigma'']$, the $\sigma.(k+i)$'s range over the set $S_{\sigma''} = \{\sigma''.k, \sigma''.(k+1), \sigma''.(k+2), \ldots\}$. By the definition of $\sigma''$, $S_{\sigma'} = S_{\sigma''}$ for every possible $k$, $0 \leq k \leq n$.

Therefore, from $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma']$ we conclude $\mathcal{M}[\![\bigcirc\psi]\!][\sigma/\sigma'']$. $\blacksquare$
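The reasoning of Theorem 4.6 and Lemma 4.9 (the four computation conditions against the ORDERING and PREFIX instances the proofs pick), together with the Case 3 rearrangement of Lemma 5.7, can be exercised on concrete state sequences. The following Python is an added worked example and is not code from the paper. It assumes finite prefixes of state sequences, so the restricted Always is evaluated over the prefix only; a state is a tuple of channel traces, a trace a tuple of values; and the sample sequences, together with the names cc1..cc4, ordering_instance, prefix_instance and case3_rearrangement, are this example's own constructions.

```python
from itertools import product

# Added example (not from the paper). A state is a tuple of channel traces, one per
# channel c = 0..m-1; a trace is a tuple of values drawn from V. A state sequence is a
# FINITE prefix kappa.0, kappa.1, ..., kappa.(N-1) of the paper's infinite sequence, and
# "always" (the restricted Box) is evaluated over that prefix only.


def is_prefix(a, b):
    """Trace a is a prefix of trace b."""
    return len(a) <= len(b) and b[: len(a)] == a


def cc1(seq):
    """CC1: every trace is empty in the initial state."""
    return all(len(t) == 0 for t in seq[0])


def cc2(seq):
    """CC2: each trace in a state is a prefix of the same trace in the next state."""
    return all(is_prefix(a, b) for s, t in zip(seq, seq[1:]) for a, b in zip(s, t))


def cc3(seq):
    """CC3: no trace grows by more than one element between consecutive states."""
    return all(len(b) - len(a) <= 1 for s, t in zip(seq, seq[1:]) for a, b in zip(s, t))


def cc4(seq):
    """CC4: at most one trace changes between consecutive states."""
    return all(sum(a != b for a, b in zip(s, t)) <= 1 for s, t in zip(seq, seq[1:]))


def is_computation(seq):
    return cc1(seq) and cc2(seq) and cc3(seq) and cc4(seq)


def always(seq, pred):
    return all(pred(s) for s in seq)


def ordering_instance(seq, c1, c2, x, y):
    """One instance of ORDERING for channels c1, c2 and constants x >= 1, y >= 0
    (with c1 != c2 or x != y, as in the second conjunct of M[[K_sigma(phi)]]):
        Box(|c1| < x <=> |c2| < y)  =>  Box(|c1| < x and |c2| < y)."""
    antecedent = always(seq, lambda s: (len(s[c1]) < x) == (len(s[c2]) < y))
    consequent = always(seq, lambda s: len(s[c1]) < x and len(s[c2]) < y)
    return (not antecedent) or consequent


def prefix_instance(seq, c, x, v):
    """One instance of PREFIX (third conjunct of M[[K_sigma(phi)]]): once element x of
    channel c equals v in some state, it equals v in every later state."""
    for k, s in enumerate(seq):
        if len(s[c]) >= x and s[c][x - 1] == v:
            return all(len(t[c]) >= x and t[c][x - 1] == v for t in seq[k:])
    return True


def ordering_counterexample(seq):
    """Search the instances the Lemma 4.9 proof uses (x, y up to the longest trace + 1)
    and return the first violated (c1, c2, x, y), or None."""
    m = len(seq[0])
    bound = max((len(t) for s in seq for t in s), default=0) + 1
    for c1, c2 in product(range(m), repeat=2):
        for x in range(1, bound + 1):
            for y in range(0, bound + 1):
                if (c1 != c2 or x != y) and not ordering_instance(seq, c1, c2, x, y):
                    return (c1, c2, x, y)
    return None


def prefix_counterexample(seq):
    """Return the first violated PREFIX instance (c, x, v), or None."""
    for c in range(len(seq[0])):
        for s in seq:
            for x in range(1, len(s[c]) + 1):
                if not prefix_instance(seq, c, x, s[c][x - 1]):
                    return (c, x, s[c][x - 1])
    return None


def satisfies_axioms(seq):
    """kappa |= ORDERING and PREFIX, over the finite prefix (Lemma 4.9's right-hand side)."""
    return ordering_counterexample(seq) is None and prefix_counterexample(seq) is None


def case3_rearrangement(seq, n):
    """Lemma 5.7, Case 3: given sigma' (a finite prefix) with a non-repeating state after
    sigma'.n, build sigma'' = <sigma'.0..sigma'.n, sigma'.i, sigma'.n, sigma'.(n+1), ...>
    where i is the smallest index > n with sigma'.i != sigma'.(i-1)."""
    i = next(k for k in range(n + 1, len(seq)) if seq[k] != seq[k - 1])
    return seq[: n + 1] + [seq[i], seq[n]] + seq[n + 1 :]


# Constructed sample sequences over m = 2 channels (values are arbitrary integers).
VALID = [((), ()), ((1,), ()), ((1,), (7,)), ((1, 2), (7,)), ((1, 2), (7,))]
BAD_CC1 = [((5,), ()), ((5,), (1,))]          # non-empty trace in the initial state
BAD_CC2 = [((), ()), ((1,), ()), ((2,), ())]   # element 1 of channel 0 changes
BAD_CC3 = [((), ()), ((1, 2), ())]             # channel 0 grows by two at once
BAD_CC4 = [((), ()), ((1,), (2,))]             # both channels change in one step
```

On each sample, is_computation and satisfies_axioms agree, which is what Lemma 4.9 predicts over a prefix; the counterexample search returns the first violated instance in enumeration order, which need not be the instance the proof picks, so the proof's instance for the CC3 case ($c1 = c2$, $x + 1$, $x + y$) is checked directly with ordering_instance. Applying case3_rearrangement to VALID with $n = 0$ produces a sequence that fails CC2 exactly through the PREFIX instance the Lemma 5.7 proof names, while its first $n + 1$ states are unchanged.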